Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
- use the correct private data for each PAM task
- make proxy_pam_target a mandatory option for auth, chpass and access
|
|
|
|
|
|
This patch add support for the host, source host and user category
'all'. All other category values are ignored so far. With the patch the
interpretation of an empty memberUser and empty sourceHost and
externalHost is changed to 'not applicable'.
|
|
|
|
Refactor user/group delete functions so that they can be used without a
transaction (they autostart an operation).
Add user and group search function where a subfilter can be specified.
|
|
|
|
Currently the Kerberos child handler evaluates the siginfo_t structure
to wait for a specific child. This scheme is prone to error, especially
when there are more than one child process active, and can produce
missleading debug message. This patch simplifies the scheme as it waits
for any child.
|
|
When possible using a macro that correctly deals with tstate
|
|
The counter was not set so we were storing only the first user for each
anumeration.
|
|
|
|
|
|
|
|
|
|
These functions should be used by providers to centrally manage lists of
servers. Servers are grouped into services and each service has it's own
list of servers. If, however, you will try to add a same server into two
different services, they will share a common structure. This means that
a host will only be resolved once.
|
|
|
|
The size of sdap_async.c was unmanageable.
This patch splits it into a generic file with common infrastructure calls,
a file that handles connection calls and a file for id related calls.
|
|
Split enum task in a separate file.
|
|
This code removes redundancies in the code.
both users and groups enumeration code use the same search generic search
function now.
Also the code to save users and groups have been unified across all callers.
|
|
This call was failing and was defective because it didn't properly handle the
various different schemas we support.
Now the function does 2 things:
- Updates the user entry to make sure it is still valid
- Retrieves every group the user is member of
|
|
This remove redundant code and also allows the generic search to be used to use
maps to convert attributes.
|
|
Also change the interface of sdap_save_user_send() so that it can be more
easily reused like it was done for sdap_save_group_send().
|
|
|
|
|
|
Also start adding some infrastructure to use the USN counter when available.
In particular add a place to add generic attrs mapping, ie attributes that are
neither user nor group specific.
|
|
The 'Unable to load' debug message is now only shown when the backend
target is given explicitly in the config file. I the other case we
let the caller decided how to handle this error condition.
|
|
|
|
|
|
Also fic sdap_get_generic_send() to be a bit more "generic" :-)
Also figs bugs within it.
This patch allow us 2 good things.
A) we check that the server effectively supports GSSAPI auth before we try to
use it.
B) against IPA it substantially cuts delays when the server is offline because
it uses a 5 second async timeout on the connection and doesn't try to do a
slow synchronous kinit+sasl_bind if the server is not even available.
|
|
Do not replicate every and each option we may want to set in ipa.
Just read out ldap and krb provider options (added reference in the manual too,
and removed mention of ipa specific timeout values, use ldap options for that)
Avoid calling auth module initialization twice, just pass the auth context to
the chpass module too.
Add a new ldap option SDAP_SEARCH_BASE, so that a single searching base can be
used for both users and groups. the user and group search bases can still be set
separately if necessary but they are now optional and set to be identical to
SDAP_SEARCH_BASE if not explicitly specified in the configuration.
|
|
This patch uses a wrapper to kill the ldap connection when we are marked
offline. This also makes sure we do not try to reuse a bad connection handler
after a fatal error.
|
|
The providers are now responsible for determining how long a cached
entry is considered valid. The default is the same as before (600s)
|
|
Nested groups weren't properly handled.
Add 2 pass strategy to update groups memberships
Stuff work as expected when enumeration is enabled now.
|
|
|
|
We were not copying IPA named options to the ldap id options list.
So the ldap_id provider was always using just the default settings.
|
|
This adds a new option (offline_credentials_expiration) to the
[PAM] section of the sssd.conf
If the user does not perform an online authentication within the
timeout (in days), they will be denied auth once the timeout
passes.
|
|
|
|
|
|
|
|
|
|
Go offline in case of hard errors too. It makes no sense to keep trying too
often when you have bad credentials for example.
Also delay starting the enumeration thread so that we finish initializations
first (bind to ldap is still a blocking operation and this may interfere with
clients/monitor registrations).
|
|
|
|
First step generate ldap options from ipa options.
Add sssd-ipa man page too.
|
|
|
|
|